SOCIAL SECURITY
Inspector General
March 11, 2003


MEMORANDUM FOR THE HONORABLE GREGORY H. FRIEDMAN
                   INSPECTOR GENERAL
                   DEPARTMENT OF ENERGY

SUBJECT: Federal Agencies’ Controls over the Access, Disclosure and Use of Social
Security Numbers by External Entities


Because of concerns related to perceived widespread sharing of personal identifying
information and occurrences of identity theft, the Chairman of the Subcommittee on
Social Security, House Ways and Means Committee, asked my office to look at the way
Federal agencies disseminate and control the use of Social Security numbers (SSN). In
consultation with the President's Council on Integrity and Efficiency, my office agreed to
serve as the audit lead for participating Office of Inspectors General (OIG) and prepare
the final report.

Each OIG assessed its respective agency's controls over the access, disclosure and
use of SSNs by external entities. Specifically, OIGs determined whether their agencies
had adequate controls over

   •   disclosures of SSNs to external entities,

   •   contractors' access to and use of SSNs,

   •   non-Government/non-contractor entities' access to and use of SSNs, and

   •   access to individuals' SSNs maintained in agency databases.

We received information from 15 OIGs. Most OIGs reported their agencies had
inadequate controls over (1) contractors' access to and use of SSNs and (2) access to
individuals' SSNs maintained in agency databases.
Based on this information, we
concluded that Federal agencies would benefit by strengthening some of their controls
over the access, disclosure and use of SSNs by external entities.

Most OIGs either have issued or will be issuing individual reports to their respective
departments or agencies. These reports make recommendations for corrective actions
at the department or agency level.

If you have any questions regarding this report, please contact me or have your staff
contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

                                               Sincerely,

                                               James G. Huse, Jr.

Attachment

SOCIAL SECURITY ADMINISTRATION       BALTIMORE MD 21235-0001


PRESIDENT'S COUNCIL on INTEGRITY & EFFICIENCY

March 17, 2003


MEMORANDUM FOR THE PRESIDENT'S COUNCIL ON INTEGRITY
            AND EFFICIENCY MEMBERS

FROM:              Gaston L. Gianni, Jr.
                   Vice Chair

SUBJECT:           Federal Agencies' Controls over the Access, Disclosure and
                   Use of Social Security Numbers by External Entities


Due to public concern over the sharing of personal information and instances of identity theft,
the Honorable Clay Shaw, Chairman of the Subcommittee on Social Security, House Ways and
Means Committee, requested a review on how Federal agencies disseminate and control the use
of Social Security numbers (SSN). Fifteen Offices of Inspector General (OIGs) participated in
this joint review to assess SSN controls within their respective agency.

The SSN was created in 1936 as a means of tracking workers' earnings and eligibility for Social
Security benefits.
However, over the years, the SSN has become a de facto national identifier
used by Federal agencies, State and local governments, and private organizations. While a
number of laws and regulations require the use of SSNs for various Federal programs, they
generally impose limitations on how these SSNs may be used.

The expanded use of the SSN as a national identifier provides a tempting motive for many
unscrupulous individuals to acquire an SSN and use it for illegal purposes. While no one can
fully prevent SSN misuse, Federal agencies have some responsibility to limit the risk of
unauthorized disclosure of SSN information.

Under the leadership of the Social Security Administration's OIG, the attached review, Federal
Agencies' Controls over the Access, Disclosure and Use of Social Security Numbers by External
Entities, presents the results of the President's Council on Integrity and Efficiency's joint review to
determine whether Federal agencies had adequate controls over:

  •   contractors' access to and use of SSNs,
  •   access to individuals' SSNs maintained in agency databases,
  •   non-Government/non-contractor entities' access and use of SSNs, and
  •   disclosures of SSNs to external entities.

Most participating OIGs reported their agencies had inadequate controls over (1) contractors'
access to and use of SSNs and (2) access to individuals' SSNs maintained in agency databases.
Based on this information, we concluded that Federal agencies would benefit from strengthening
some of their controls over the access, disclosure and use of SSNs by external entities.

Attachment


PRESIDENT'S COUNCIL on INTEGRITY & EFFICIENCY

March 11, 2003


MEMORANDUM FOR THE HONORABLE GASTON L. GIANNI, JR.
              VICE CHAIR
              PRESIDENT'S COUNCIL ON INTEGRITY AND EFFICIENCY

FROM:                    Gregory H. Friedman
                         Chair, Audit Committee

SUBJECT:                 Federal Agencies' Controls over the Access, Disclosure and Use of
                         Social Security Numbers by External Entities


At the request of the House Ways and Means Committee, Subcommittee on Social Security, and
discussions with the President's Council on Integrity and Efficiency (PCIE), the Social Security
Administration's Office of the Inspector General (OIG) led 15 OIGs in determining whether
their respective agencies had adequate controls over:

•   contractors' access to and use of Social Security numbers (SSN),

•   access to individuals' SSNs maintained in agency databases,

•   non-Government/non-contractor entities' access and use of SSNs, and

•   disclosures of SSNs to external entities.

The attached report, Federal Agencies' Controls over the Access, Disclosure and Use of Social
Security Numbers by External Entities, provides the results of the joint audit conducted under the
direction of the PCIE's Audit Committee. Based on the conditions identified during the audit,
we concluded that Federal agencies would benefit by strengthening some of their controls over
the access, disclosure and use of SSNs by external entities. Most participating OIGs reported
their agencies had inadequate controls over (1) contractors' access to and use of SSNs and (2)
access to individuals' SSNs maintained in agency databases. The participating OIGs either have
issued or will be issuing individual reports to their respective departments or agencies.
These
reports make recommendations for corrective actions at the department or agency level.

Attachment


Report to The President's Council on Integrity
and Efficiency

Federal Agencies’ Controls over the Access, Disclosure and
use of Social Security Numbers by External Entities

Social Security Administration
Office of the Inspector General
March 11, 2003


Introduction

Objective

Our objective was to provide the President’s Council on Integrity
and Efficiency (PCIE) with an assessment of Federal agencies’
controls over the access, disclosure and use of Social Security
numbers (SSN) by external entities.

Background

The SSN was created in 1936 as a means of tracking workers’
earnings and eligibility for Social Security benefits. However, over
the years, the SSN has become a de facto national identifier used
by Federal agencies, State and local governments, and private
organizations. While a number of laws and regulations require the
use of SSNs for various Federal programs, they generally impose
limitations on how these SSNs may be used.

Although no single Federal law regulates the overall use and
disclosure of SSNs by Federal agencies, the Freedom of
Information Act of 1966, the Privacy Act of 1974, and the Social
Security Act Amendments of 1990 generally govern disclosure and
use of SSNs (Appendix A).
In addition, a number of Federal laws
lay out a framework for Federal agencies to follow when they
establish information security programs that protect sensitive
personal information, such as SSNs.1

The expanded use of the SSN as a national identifier provides a
tempting motive for many unscrupulous individuals to acquire an
SSN and use it for illegal purposes. While no one can fully prevent
SSN misuse, Federal agencies have some responsibility to limit the
risk of unauthorized disclosure of SSN information. Because of
concerns related to perceived widespread sharing of personal
information and occurrences of identity theft, congressional
requesters asked the General Accounting Office (GAO) to study
how, and to what extent, Federal, State and local government
agencies use individuals' SSNs and how these entities safeguard
records or documents containing those SSNs.2 The information the
agencies provided was self-reported, and GAO did not verify the
responses.

1
 The Government Information Security Reform provisions of the Fiscal Year 2001 Defense Authorization
Act, Pub. L. No. 106-398, Subtitle G (2000); the Clinger-Cohen Act of 1996, Pub. L. No. 104-106,
Division D and E (1996); the Paperwork Reduction Act of 1995, Pub. L. No. 104-13 (1995); the
Computer Security Act of 1987, Pub. L. No. 100-235 (1988). See also Office of Management and Budget
guidance, such as Circular A-130.
2
 Social Security Numbers: Government Benefits from SSN Use but Could Provide Better Safeguards
(GAO-02-352, May 2002).

The Chairman of the Subcommittee on Social Security, House
Ways and Means Committee, requested that the Social Security
Administration's Office of the Inspector General (OIG) look at the
way Federal agencies disseminate and control the use of SSNs.
After consultation with the PCIE, we agreed to serve as audit lead
for 15 participating OIGs (Appendix B) and prepare the final report.
As part of our review, we coordinated with GAO to avoid duplication
of effort. This report serves as a follow-up to GAO's study and
provides a more in-depth analysis of Federal agencies’ SSN
controls related to contractor access, databases, non-Government
access, and disclosure.

Most OIGs either have issued or will be issuing individual reports to
their respective departments or agencies.
The individual OIG
reports make recommendations for corrective actions at the
department or agency level.

Scope and Methodology

To accomplish the objective, OIGs

•   reviewed controls over the use and protection of SSNs within
    their respective agency;

•   interviewed agency personnel responsible for controls over the
    access, disclosure and use of SSNs;

•   reviewed relevant agency procedures and practices;

•   reviewed applicable laws and regulations;

•   observed selected contractor activities; and

•   reviewed relevant agency audit reports.

Each OIG focused its work on one program within its respective
agency.3 As such, the findings in this report should not be
extrapolated to all programs within each agency. See Appendix C
for the specific agency program each OIG reviewed.

3
 The Department of Defense assessed SSN controls for three programs.


Results of Review

Despite Federal agencies’ safeguards to prevent improper access,
disclosure and use of SSNs by external entities, agencies remained
at-risk to such activity.
Of the 15 agencies reviewed,

•   14 lacked adequate controls over contractors' access to and use
    of SSNs,

•   9 had inadequate controls over access to SSNs maintained in
    their computer systems,

•   2 did not have adequate controls over non-Government and/or
    non-contractor entities' access to and use of SSNs, and

•   1 did not make legal and informed SSN disclosures.

Federal Agencies Placed Safeguard Requirements
on Contractors But Lacked Adequate SSN Controls

Federal agencies often use contractors to assist them in carrying
out their statutory responsibilities. These contracts often contain
standard language related to safeguarding personal information.
Contracts may also contain penalty provisions for contractor misuse
of information. Federal agencies incorporate different practices to
ensure they have appropriate controls over contractor access to
and use of SSNs. These include, but are not limited to, passwords
and computer identifications; access to information on a need to
know basis; periodic review of current computer users; staff and
contractor confidentiality agreements; security awareness training;
and secure work areas.

Although Federal agencies generally placed these safeguard
requirements on contractors, 14 (93 percent) of 15 OIGs reported
inadequate controls over contractors’ access to and use of SSNs.
For example, eight agencies had not performed site inspections to
ensure contractors had upheld their obligation to protect the
confidentiality and security of SSNs. One agency, which performed
on-site inspections, did not adequately address the security of
personal identifying information, such as SSNs.
Moreover, two
OIGs raised concerns about controls over contractors’ security
practices for file storage; one noted instances in which contractors
maintained personal identifying information in unlocked file cabinets
or storage rooms, and another noted that several agency
contractors left sensitive records on desktops or open shelves after
normal working hours.

Two OIGs also reported problems regarding contractors’ access to
Federal agencies' databases. For example, these OIGs identified
instances in which their agencies granted system access to
contractors before they completed background security
investigations. Additionally, one agency lacked adequate controls
for deleting contractors’ system access after they left the agency.
Moreover, one agency did not have a process in place that
systematically identified contractors who had access to sensitive
information.

Two OIGs also identified instances in which agency contracts
lacked the Privacy Act notice or the agency had no contract at all.
For example, 1 agency had omitted the Privacy Act clause in
11 of 16 contracts. Another OIG noted instances in which
contractors had access to personal data, although no Memorandum
of Understanding existed between the agency and the contractor.
Appendix C identifies the OIGs that reported their respective
agencies had inadequate controls over contractors’ access to and
use of SSNs.

Federal Agencies Placed Controls over Access to
Individuals’ SSNs Maintained in Their Databases, But
Weaknesses Existed

Federal agencies that allowed access to their databases generally
had standard information security controls in place.
Agency
controls included, but were not limited to, security clearances
before granting computer access, computer access controlled by
job title, unique user identification and passwords, firewalls,
encrypted data transportation, intrusion detection systems, and
physical access controls. In addition, some agencies emphasized
the users’ responsibility to safeguard data through written
agreements and computer screen Privacy Act notices. Although
agencies limited access to their databases primarily to employees,
most agencies also authorized systems access to external entities
for specific purposes. For example, some agencies allowed other
agencies access to their databases to assist in beneficiary eligibility
determinations and provide such services as software design and
support and data processing.

Despite Federal agencies’ safeguards, 9 (60 percent) of 15 OIGs
reported their respective agencies had inadequate controls over
access to SSNs maintained in their databases. For example, one
agency granted systems access to its employees before completing
background security checks while others were not monitoring user
access to ensure users were still current employees or contractors.
Other identified weaknesses included physical access controls,
implementation and monitoring of technical security configuration
standards and monitoring security violations. Because of the
sensitive nature of information security issues, we chose to
withhold detailed descriptions of information security control
weaknesses identified by OIGs.
Appendix C identifies the OIGs
that reported their respective agencies had inadequate controls
over access to SSNs maintained in their databases.

Federal Agencies Generally Had Adequate Controls
over Non-Government/Non-Contractor Entities'
Access to and Use of SSNs

Federal agencies generally granted access to and use of SSNs to
those entities whose requests fell under the Freedom of Information
or Privacy Act exclusions. Two OIGs reported their agencies also
granted life insurance and/or pension companies access to
deceased individuals' SSNs.4 However, about half of the OIGs
reported their respective agencies did not grant non-Government
and/or non-contractor entities' access to and use of SSNs.

Two (13 percent) of 15 OIGs reported their agencies did not have
adequate controls over non-Government/non-contractor entities'
access to and use of SSNs. One OIG reported its agency had no
standard contract language to include privacy act safeguards.
Another OIG reported its agency did not establish financial
standards for outside parties to meet prior to gaining access to data
containing SSN information.
Appendix C identifies the OIGs that
reported their respective agencies had inadequate controls over
non-Government and/or non-contractor entities' access to and use
of SSNs.

4
 The Privacy Act does not apply to deceased individuals.

Federal Agencies Generally Made Legal and Informed
Disclosures of SSNs to External Entities

One (7 percent) of 15 OIGs reported its agency did not make legal
and informed SSN disclosures. This OIG identified instances in
which the agency did not inform research study participants that
providing their SSNs was voluntary. The remaining OIGs reported
their respective agencies generally made legal and informed SSN
disclosure to external entities.5 In doing so, agencies included
Privacy Act notices on forms and had matching agreements with
other entities that outlined the agencies’ roles in protecting personal
identifying information. Federal agencies also informed individuals
when they needed to provide their SSN to apply for benefits, by
what legal authority they were requesting the SSN, and how the
agency was going to use the SSN.
Federal agencies disclosed
individuals’ SSNs to various external entities, including Federal and
State agencies, insurance companies, universities and researchers.

Although the 14 remaining OIGs reported their agencies generally
made legal and informed SSN disclosures, they identified instances
in which agency practices increased the risk external entities may
have improperly obtained and misused SSNs. For example, one
OIG identified instances in which its agency unnecessarily
displayed SSNs on documents it sent to external entities that may
not have had a need to know. Another OIG identified instances in
which its agency inadvertently omitted the Privacy Act notice on
one of its forms, and another OIG identified instances in which its
agency provided SSNs to another agency in error. Appendix C
identifies the OIG that reported its agency made improper
disclosures of SSNs to external entities.

5
 For purposes of this report, we consider SSN disclosure to have occurred when an agency provides an
SSN to an external entity that did not already have it.


Conclusion

Some Federal agencies are at-risk for improper access, disclosure
and use of SSNs by external entities, despite safeguards to prevent
such activity. We recognize Federal agencies’ efforts cannot
eliminate the potential that unscrupulous individuals may
inappropriately acquire and misuse SSNs.
Nonetheless, we
believe each Federal agency has a duty to safeguard the integrity
of SSNs by reducing opportunities for external entities to improperly
obtain and misuse the SSNs. Given the potential risk for
individuals to engage in such activity, we believe Federal agencies
would benefit by strengthening some of their controls over the
access, disclosure and use of SSNs by external entities.


Appendix A

Federal Laws that Restrict Disclosure of the
Social Security Number

The following Federal laws establish a framework for restricting Social Security number
(SSN) disclosure.1

The Freedom of Information Act of 1966 (5 U.S.C. 552)

The Freedom of Information Act (FOIA) establishes a presumption that records in the
possession of Executive Branch agencies and departments are accessible to the
people. FOIA, as amended, provides that the public has a right of access to Federal
agency records, except for those records that are protected from disclosure by nine
stated exemptions. One of these exemptions allows the Government to withhold
information about individuals in personnel and medical files and similar files when the
disclosure would constitute a clearly unwarranted invasion of personal privacy.
According to Department of Justice guidance, agencies should withhold SSNs under
this FOIA exemption. This statute does not apply to State and local governments.

The Privacy Act of 1974 (5 U.S.C. 552a)

The Privacy Act regulates Federal agencies’ collection, maintenance, use and
disclosure of personal information maintained by agencies in a system of records. The
Act prohibits the disclosure of any record contained in a system of records unless the
disclosure is made based on a written request or prior written consent of the person to
whom the records pertain or is otherwise authorized by law.
The Act authorizes
12 exceptions under which an agency may disclose information in its records.

The Act contains a number of additional provisions that restrict Federal agencies’ use of
personal information. For example, an agency must maintain in its records only such
information about an individual as is relevant and necessary to accomplish a purpose
required by statute or Executive Order of the President, and the agency must collect
information to the greatest extent practicable directly from the individual when the
information may result in an adverse determination about an individual’s rights, benefits
and privileges under Federal programs.

1
 Summarized from Social Security Numbers: Government Benefits from SSN Use but Could Provide
Better Safeguards (GAO-02-352, May 2002).

The Social Security Act Amendments of 1990 (42 U.S.C. 405(c)(2)(C)(viii))2

The Social Security Act bars disclosure by Federal, State and local governments of
SSNs collected pursuant to laws enacted on or after October 1, 1990. This provision of
the Act also contains criminal penalties for “unauthorized willful disclosures” of SSNs.
Because the Act specifically cites willful disclosures, careless behavior or inadequate
safeguards may not be subject to criminal prosecution. Moreover, applicability of the
provision is further limited in many instances because it only applies to disclosure of
SSNs collected in accordance with laws enacted on or after October 1, 1990. For SSNs
collected by Federal entities pursuant to laws enacted before October 1, 1990, this
provision does not apply and therefore would not restrict disclosing the SSN.
Finally,
because the provision applies to disclosure of SSNs collected pursuant to laws requiring
SSNs, it is not clear whether the provision also applies to disclosure of SSNs collected
without a statutory requirement to do so. This provision applies to Federal, State and
local governmental agencies; however, the applicability to courts is not clearly spelled
out in the law.

2
 Pub. L. No. 101-624 §2201, 104 Stat. 3359, 3951 (1990).


Appendix B

Participating Offices of Inspector General

Department of Agriculture

Department of Defense

Department of Education

Department of Health and Human Services

Department of Housing and Urban Development

Department of Labor

Department of the Treasury

Environmental Protection Agency

Federal Deposit Insurance Corporation

Nuclear Regulatory Commission

Office of Personnel Management

Railroad Retirement Board

Small Business Administration

Social Security Administration

Treasury Inspector General for Tax Administration


Appendix C

Summary of Inadequate Controls Identified
by Offices of Inspector General (OIG)

INADEQUATE CONTROLS IDENTIFIED BY OIGs

Federal Agency                                    Contractor        Access to SSNs    Non-Government/   Legal and Informed
and Program(s) Reviewed                           Access and Use    Maintained in     Non-contractor    Disclosure of SSNs
                                                  of SSNs           Agency Databases  Access and Use    to External
                                                                                      of SSNs           Entities

Department of Agriculture: Food Stamp Program     X1                X1
Department of Defense: Defense Manpower Data      X2                X3
  Center; Army and Air Force Exchange Service,
  and Defense Security Service
Department of Education: Pell Grant Program       X                 X
Department of Health and Human Services: Food     X                                                     X
  and Drug Administration
Department of Housing and Urban Development:      X
  Office of Housing
Department of Labor: Federal Employee             X                                   X
  Compensation Act Program
Department of the Treasury: Financial             X                 X
  Management Service
Environmental Protection Agency: Financial
  Management and Financial Services Divisions
Federal Deposit Insurance Corporation             X                                   X
Nuclear Regulatory Commission                     X                 X
Office of Personnel Management: Retirement and    X                 X
  Insurance Service, Office of Merit Systems
  Oversight and Effectiveness, and Investigations
  Service
Railroad Retirement Board                         X                 X
Small Business Administration                     X
Social Security Administration: Title II Program  X                 X
Treasury Inspector General for Tax                X                 X
  Administration: Internal Revenue Service
TOTALS                                            14                9                 2                 1

1
 Inadequate controls identified at the State/local levels of the Food Stamp Program.
2
 Inadequate controls over contractor access and use of SSNs identified in the following Department of Defense agencies: Army and Air Force
 Exchange Service and Defense Security Service.
3
 Inadequate controls over access to SSNs maintained in its databases identified at the Defense Manpower Data Center.